Welcome back! In Maltego Part I we performed personal reconnaissance with Maltego to see what we could find out on the net about our Editor-in-Chief, Don. With the personal details tucked safely away in our notebook, let's see what we can gather about his network infrastructure.

Any organization that has an Internet presence needs to have some form of infrastructure to support their presence. During Infrastructure Enumeration you attempt to discover how much of it exists, what type of infrastructure is used, where it is located, what technology is used and how it is structured. This type of information is interesting for:

* Security assessments (as this is the first and most tedious phase of any external assessment).
* Getting an idea of the organization’s Internet and geographical presence.
* Gaining insight into the technology used by the organization.
* Making connections between seemingly unconnected organizations (as they might be sharing common infrastructure).
* Getting a list of brands or affiliations supported by the organization.

Infrastructure Footprinting is essential for identifying possible systems for remote attacks. An organization’s full IP assets will normally not be readily available or determinable to a penetration tester. Therefore we have to use a combination of tools, creativity, brute forcing and luck to try to identify all the different infrastructure assets the organization owns. A good pen tester must also attempt to identify any trust or partner relationships the client may have as those partners may also be in scope for our assessment.

We'll primarily be working from the Infrastructure Palette for infrastructure information gathering (makes sense, right?). Our personal reconnaissance of Don was done primarily from the Personal Palette.

Then use the DomainToDNSName_DNSBrute transform to find as many hostnames as possible under the digitalconstructionco.com domain. This transform does a dictionary brute-force lookup of possible hostnames. You can add words to the transform's dictionary by going to Tools –> Manage Transforms.

Figure 4: Manage Transforms Options

Click on the Display Name to sort the transforms and click on the To DNS Name [Brute] transform.

Figure 5: Selecting To DNS Name [Brute] transform

In the Transform inputs –>Optional inputs–> field (lower right) you can add additional domain name prefixes to test.

Digitalconstructionco.com didn't yield much in the way of additional hostnames: only www (which we already knew) and ftp.

Figure 6: Results of the DomainToDNSName_DNSBrute transform for digitalconstructionco.com

Microsoft.com yields several more and shows a bit more of the power of Maltego to manage large networks.

Figure 7: Results of the DomainToDNSName_DNSBrute transform for microsoft.com

While this transform might not seem like much from our digitalconstructionco.com example, it can be handy for quickly determining that an IP address has multiple DNS names pointing to it. For example, in the Microsoft domain we were able to see quickly and visually that seemingly unrelated DNS names resolve to the same IPs.

Figure 9: Results of the DNSNameToIPAddress_DNS transform for parts of asia.microsoft.com

Two IPs of asia.microsoft.com, with many other DNS names resolving to those IPs as well.

Figure 10: Results of the DNSNameToIPAddress_DNS transform for parts of asia.microsoft.com

You can also select an IP address and look at the Detail View to see the domain names that resolve to it.

Figure 11: Detail View for parts of asia.microsoft.com

To see the above quickly and visually, after you've resolved those DNS names to IPs you might want to switch to the 'Edge weighted view', which shows at a glance which IP addresses are central to the organization. For more information on the views, check out the Maltego Wiki.

Figure 12: Edge Weighted View for our Microsoft IPs showing that many hosts point to two IPs

To quickly get a list of (some of) their domains, get the NS records for microsoft.com, then run NSrecordToDomain_SharedNS. It will find all the domains that share that nameserver. Your results-versus-accuracy slider will be important for this transform: the further you slide toward "# of results", the more results will be returned, which can be substantial depending on the nameserver.

Figure 13: Results of the NSrecordToDomain_SharedNS transform with results bar on the accuracy side.

Figure 14: Results of the NSrecordToDomain_SharedNS transform with the results bar on the results side.

We can also run the DNSNameToDomain_SharedMX transform, which shows us other domains that use the same MX records, thus finding further domains that may be in scope.

Figure 15: Results of the DNSNameToDomain_SharedMX transform on microsoft.com public facing mail server
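The three pivots described above (dictionary brute force of hostnames, spotting which IPs many DNS names resolve to, and finding domains that share a nameserver or MX host) are all the same idea: build a mapping and invert it. The following Python is an added example modelling those transforms offline, not Maltego's own code; the zone data, the `.test` hostnames and the RFC 5737 addresses are constructed, and `stub_resolve` stands in for a live resolver.

```python
"""Offline model of the DNSBrute, DNSNameToIPAddress and Shared NS / Shared MX
pivots discussed above. All records below are constructed (hypothetical)."""
from collections import defaultdict

# Constructed A records standing in for live DNS answers.
A_RECORDS = {
    "www.example.test": "203.0.113.10",
    "ftp.example.test": "203.0.113.10",
    "mail.example.test": "203.0.113.25",
    "asia.example.test": "198.51.100.7",
    "cdn-static.example.test": "198.51.100.7",
}
# Constructed NS and MX records: each domain maps to the set of hosts serving it.
NS_RECORDS = {
    "example.test": {"ns1.example-dns.test", "ns2.example-dns.test"},
    "brand-a.test": {"ns1.example-dns.test", "ns2.example-dns.test"},
    "unrelated.test": {"ns.other.test"},
}
MX_RECORDS = {
    "example.test": {"mx1.example.test"},
    "brand-a.test": {"mx1.example.test"},
    "brand-b.test": {"mx1.example.test", "mx.backup.test"},
    "unrelated.test": {"mx.other.test"},
}


def stub_resolve(name):
    """Hypothetical resolver: answer from the constructed table, None if no A record."""
    return A_RECORDS.get(name)


def brute_force_hostnames(domain, wordlist, resolve=stub_resolve):
    """DomainToDNSName_DNSBrute: try each dictionary word as a label under `domain`
    and keep the names that resolve. Returns {hostname: ip}."""
    found = {}
    for prefix in wordlist:
        name = f"{prefix}.{domain}"
        ip = resolve(name)
        if ip:
            found[name] = ip
    return found


def invert(mapping):
    """Invert name -> target (a string or a set of strings) into
    target -> sorted list of names. This is what the graph shows when
    several DNS names converge on one IP, nameserver or MX host."""
    groups = defaultdict(set)
    for name, targets in mapping.items():
        if isinstance(targets, str):
            targets = {targets}
        for target in targets:
            groups[target].add(name)
    return {target: sorted(names) for target, names in groups.items()}


def hub_targets(mapping):
    """Edge-weighted view in table form: targets ordered by how many names
    point at them (most connected first, ties broken by name)."""
    inverted = invert(mapping)
    return sorted(((t, len(n)) for t, n in inverted.items()),
                  key=lambda item: (-item[1], item[0]))


def shared_with(mapping, name):
    """Shared NS / Shared MX pivot: other names that share at least one
    target with `name`."""
    inverted = invert(mapping)
    targets = mapping[name]
    if isinstance(targets, str):
        targets = {targets}
    shared = set()
    for target in targets:
        shared.update(inverted[target])
    shared.discard(name)
    return sorted(shared)


if __name__ == "__main__":
    hits = brute_force_hostnames("example.test", ["www", "ftp", "mail", "dev"])
    print("brute force:", hits)
    print("names per IP:", invert(hits))
    print("hubs:", hub_targets(A_RECORDS))
    print("domains sharing NS with example.test:", shared_with(NS_RECORDS, "example.test"))
    print("domains sharing MX with example.test:", shared_with(MX_RECORDS, "example.test"))
```

The interesting output is not the brute-force hits themselves but `invert` and `hub_targets`, which reproduce what the Edge Weighted View makes visible: the two constructed IPs each carry two names, so they are the hosts an assessment (or an asset inventory) should look at first.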

Of particular usefulness is the IPAddressToNetblock Cuts transform, which allows us to break a large netblock into manageable pieces. This is important because the NetblockToDNSName SS and NetblockToDNSName RevDNS transforms only allow a maximum of 2048 lookups at a time. I normally break a netblock into 256-host chunks (which is the default). This is a manageable chunk size unless you are sure the domain you are looking at actually owns the full netblock and you need to find all the DNS names the brute-force transform missed. Let's look at the IPAddressToNetblock Cuts transform within the Tools –> Manage Transforms menu. We can change the block size in the optional inputs section.

A way to quickly get an organization's netblock(s): get the NS records for microsoft.com, select them all and run NSrecordToNetblock_NS4block. That transform looks on Robtex to see which netblocks those nameservers are delegated to. You very quickly have a list of netblocks to take a further look at.

Figure 19: Results of the NSrecordToNetblock_NS4block transform on one of microsoft.com’s nameservers.

We can also reverse-lookup any of the netblocks of 2048 hosts or fewer.

Figure 20: Results of the NetblockToDNSName RevDNS transform.
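The netblock cutting and the 2048-lookup cap described above are easy to get wrong by hand. The following Python is an added example that models them with the standard `ipaddress` module; it is not Maltego's code, the PTR answers are constructed, and the RFC 5737 documentation ranges are used as hypothetical netblocks. It goes slightly beyond the text by enforcing the cap before a reverse-DNS sweep and by cutting an oversized block automatically.

```python
"""Model of IPAddressToNetblock_Cuts plus the lookup cap that applies to the
NetblockToDNSName transforms. Netblocks and PTR data below are constructed."""
import ipaddress

MAX_LOOKUPS = 2048         # per-run cap stated for NetblockToDNSName SS / RevDNS
DEFAULT_BLOCK_SIZE = 256   # the transform's default chunk: one IPv4 /24

# Constructed PTR answers (hypothetical hosts in RFC 5737 space).
PTR_RECORDS = {
    "203.0.113.10": "www.example.test",
    "203.0.113.25": "mail.example.test",
    "203.0.114.3": "vpn.example.test",
}


def cut_netblock(cidr, block_size=DEFAULT_BLOCK_SIZE):
    """Split `cidr` into subnets of `block_size` addresses (a power of two).
    A block already no larger than block_size is returned unchanged."""
    if block_size <= 0 or block_size & (block_size - 1):
        raise ValueError("block_size must be a power of two")
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses <= block_size:
        return [str(net)]
    # block_size == 2**k  ->  new prefix length is max_prefixlen - k
    new_prefix = net.max_prefixlen - (block_size.bit_length() - 1)
    return [str(subnet) for subnet in net.subnets(new_prefix=new_prefix)]


def within_lookup_cap(cidr, cap=MAX_LOOKUPS):
    """True if a reverse sweep of `cidr` stays under the per-run lookup cap."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses <= cap


def reverse_lookup_block(cidr, ptr=PTR_RECORDS.get, cap=MAX_LOOKUPS):
    """NetblockToDNSName_RevDNS on a single block: refuse blocks over the cap,
    otherwise query every address and keep the ones with a PTR answer."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses > cap:
        raise ValueError(
            f"{net} has {net.num_addresses} addresses; cut it into blocks of at most {cap} first"
        )
    found = {}
    for ip in net:
        name = ptr(str(ip))
        if name:
            found[str(ip)] = name
    return found


def reverse_lookup_large(cidr, block_size=DEFAULT_BLOCK_SIZE, ptr=PTR_RECORDS.get):
    """Cut a large netblock first, then sweep each chunk, so no single run
    exceeds the cap. Returns {ip: hostname} across all chunks."""
    results = {}
    for chunk in cut_netblock(cidr, block_size):
        results.update(reverse_lookup_block(chunk, ptr))
    return results


if __name__ == "__main__":
    print(cut_netblock("203.0.112.0/22"))            # four /24 chunks
    print(within_lookup_cap("203.0.112.0/20"))       # 4096 addresses: over the cap
    print(reverse_lookup_large("203.0.112.0/22"))    # PTR hits across the chunks
```

Swapping `ptr` for a real reverse resolver (for example a wrapper around `socket.gethostbyaddr` that returns `None` on failure) turns this into a live sweep, and the cap check then does what the Maltego limit does: it stops you from silently truncating a sweep of a block that was never cut.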

Wrap Up

So in conclusion, we took a "black-box" approach starting just with a domain name and showed the various ways we can determine: